Skill to manage and update google sheet
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent using this skill with the service-account key can read and change spreadsheets shared with the service account.
The script reads a local Google service-account key and requests the full Google Sheets read/write scope, which is expected for this skill but gives real delegated authority over shared spreadsheets.
`const credentials = JSON.parse(fs.readFileSync(credPath, 'utf8'));` ... `scopes: ['https://www.googleapis.com/auth/spreadsheets']`
Use a dedicated service account, share only the specific spreadsheets needed, protect the key file, and rotate or revoke the key if it is no longer needed.
A mistaken or overbroad command could overwrite cells, clear data, or delete a sheet tab.
The documented command set includes operations that can change or remove spreadsheet data. This matches the stated purpose, but the impact can be significant if invoked on the wrong sheet or range.
`write` ... `append` ... `clear` ... `deleteSheet`
Review spreadsheet IDs, ranges, and sheet names before write, clear, or delete actions; consider requiring explicit confirmation for destructive operations.
Installing the skill will rely on npm packages, so the runtime behavior depends on that dependency chain.
The skill is described as having no install spec, but its instructions require installing Node.js dependencies. The included package-lock.json helps with provenance, and the dependency is purpose-aligned.
`cd skills/google-sheets && npm install`
Install from a trusted environment, keep the lockfile, and review dependency updates before upgrading.
